2013 Royal Holloway information security thesis series

In this guide find all the latest thesis submissions from graduates of the master of science course run by the Royal Holloway, University of London, Information Security Group.

This year's Royal Holloway, University of London, Information Security Group articles discuss topics from a variety of information security disciplines, including Wi-Fi security risks, secure payments, Android security, and secure RFID.

Previous years' articles, including the 2012 Royal Holloway Thesis series, have focused on topics such as secure contactless payments, the risks of multi-tenancy cloud computing, and cloud security certifications.

TechTarget's Computer Weekly is pleased to present the following articles from the best and brightest of this year's RHUL master of science graduates.

Table of contents:

Underexposed risks of public Wi-Fi hotspots

All is not always as it appears when users access public Wi-Fi networks via seemingly authentic and trustworthy providers.

This article by Daan Stakenburg and Jason Crampton in our Royal Holloway Information Security Thesis series seeks to raise awareness of the underexposed risks for identity and data theft by exploring the status quo and potential developments for minimising those risks.

Fair exchange protocols with anonymity and non-repudiation for payments

The integration of electronic transactions throughout the spectrum of business and our individual daily activities is undeniably widespread.

The shift from the standard bricks-and-mortar environment with point of sale (POS) transactions to the virtual, electronic, card-not-present (CNP) environment has expanded the attack surface and created the need for higher security in transactions.

This report by Athanasios Polychronis and Konstantinos Markantonakis looks in detail at two key principles necessary for secure payments: fair exchange and non-repudiation for the participants.

Protecting against modern password cracking

Attackers are increasingly turning to human psychology and the study of password selection patterns among user groups to develop sophisticated techniques that can quickly and effectively recover passwords.

Passwords are commonly protected by applying a one-way cryptographic algorithm that produces a hash of fixed length given any password as input. However, cryptography can only protect something to the point where the only feasible attack on the hashed secret is to try to guess it. When it comes to passwords, guessing can be easy.

Passwords are insecure by nature because they are used to prevent humans from guessing a small secret created by humans themselves.

This article by Yiannis Chrysanthou and Allan Tomlinson shows that guessing passwords is as easy as creating them: most commonly used passwords are easy to guess and harder passwords are almost never used.

Sleeping Android: the danger of dormant permissions

A weakness in the permissions architecture of the Android platform means that apps could gain access to functionality without a user's knowledge or consent, leaving them open to exploitation or abuse by attackers. Changes to the way the Android platform authorises permission requests could compromise the security of unwary users.

Since the first commercial device was made available in October 2008, the Android platform has enjoyed a meteoric rise. In those four years it has grown to hold the greatest market share among many of the world’s most significant smartphone markets. Competing head to head with Apple’s iOS platform, the two operating systems are used in the vast majority of the world’s smartphones.

The Android platform has evolved considerably since its introduction. Since 2008, there have been 25 platform version releases – the latest being 4.2.1 – introducing 17 different API levels in that time. These releases have introduced numerous new features and, as one might expect nowadays, they have also included various bug fixes and security patches.

One area of the Android platform, its permission architecture, has undergone continued development in that time and has received close scrutiny due to its significant security role and its noticeable disparity from similar mechanisms on other platforms.

This article by James Sellwood and Jason Crampton examines the Android permission architecture.

Security visualisation

Have you ever been stuck looking at a list of security vulnerabilities that seems endless? You are not alone. Even worse, all issues appear to be of high priority and of equal importance at first sight. However, given the limited time and resources available in practice, it is key that each of them is carefully evaluated and prioritised so that adequate steps can be taken towards mitigation. If this is not done properly, the lack of prioritisation often means that known vulnerabilities are not fixed within an appropriate time frame, if they are fixed at all.

This is a perfect example of where information visualisation can help with the process of prioritisation. What if you had a visual representation of the findings that not only shows the underlying network architecture but makes the most critical issues stand out immediately? What if you could see from this visual the attack path and identify potential security enforcement points along that path to cut off the attacker?

If done properly, information visualisation takes advantage of human perception. As human beings we are literally wired to see: the human visual system is often described as a flexible pattern finder that can quickly detect changes in size, colour, shape, movement or texture.

This article by Marco Krebs and William Rothwell is a guideline on how to generate a visual representation of a given dataset and use it in the evaluation of known security vulnerabilities. Although the example is based on the output of an automated vulnerability scanner (Nessus), the suggested information visualisation process can be applied to generate any kind of visualisation.

Enabling the secure use of RFID

UHF radio frequency identification (RFID) promises vastly improved data collection and analysis of physical objects, from consumables to patients. Before its full potential can be exploited, it is critical that security surrounding its use is effectively implemented to ensure the data itself is not exploited.

A few years ago, it was hard to believe that physical objects could be connected to the Internet in the same way as a file uploaded to a server, with their own IP addresses, but this is becoming a reality through the development of new low-cost technologies that could easily become widespread.

One of the technologies that allows this is UHF radio frequency identification (RFID) technology, which has the advantage of being low cost, but promises computational resources that, in a couple of years, may be adequate to overcome problems linked to information security.

The article by Dario Bevilacqua and Keith Mayes describes the design of an RFID system for identification and tracking of items that could be applied in various scenarios with an emphasis on information security.